Merge pull request #9338 from lafirest/fix/jwt_acl

fix(jwt): fix the jwt ACL will return a wrong result when the token is expired

apps/emqx_auth_jwt/src/emqx_auth_jwt.erl

@@ -67,7 +67,7 @@ check_acl(ClientInfo = #{jwt_claims := Claims},
             case is_expired(Exp) of
                 true ->
                     ?DEBUG("acl_deny_due_to_jwt_expired", []),
-                    deny;
+                    {stop, deny};
                 false ->
                     verify_acl(ClientInfo, Acl, PubSub, Topic)
             end;

apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl

@@ -462,6 +462,16 @@ t_check_jwt_acl_expire(_Config) ->
        {ok, #{}, [?RC_NOT_AUTHORIZED]},
        emqtt:subscribe(C, <<"a/b">>, 0)),
 
+    Default = emqx_zone:get_env(external, acl_nomatch, deny),
+    emqx_zone:set_env(external, acl_nomatch, allow),
+    try
+        ?assertMatch(
+           {ok, #{}, [?RC_NOT_AUTHORIZED]},
+           emqtt:subscribe(C, <<"a/b">>, 0))
+    after
+        emqx_zone:set_env(external, acl_nomatch, Default)
+    end,
+
     ok = emqtt:disconnect(C).
 
 t_check_jwt_acl_no_exp(init, _Config) ->

changes/v4.3.23-en.md

@@ -7,3 +7,5 @@
 - Print a warning message when boot with the default (insecure) Erlang cookie [#9340](https://github.com/emqx/emqx/pull/9340).
 
 ## Bug fixes
+
+- Fix a bug where the JWT ACL would not short-circuit with a deny response when the token is expired [#9338](https://github.com/emqx/emqx/pull/9338).

changes/v4.3.23-zh.md

@@ -7,3 +7,5 @@
 - 使用默认的(不安全的) Erlang cookie 进行启动时，将会打印一条警告信息 [#9340](https://github.com/emqx/emqx/pull/9340)。
 
 ## 修复
+
+- 修复 JWT ACL 在令牌超期后授权检查不生效的问题 [#9338](https://github.com/emqx/emqx/pull/9338)。